Information Security Notes
Digital Signature and Authentication Protocols
Asst. Prof. Shreyas Patel 2
Introduction
A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key. The signature guarantees the source and integrity of the message.
Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.
In one-way authentication, the recipient wants some assurance that the message is from the alleged sender.
4/9/2014
Digital Signature
Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Several forms of dispute between the two are possible.
For example, suppose that John sends an authenticated message to Mary, using one of the schemes of Fig. 11.4. Consider the following disputes that could arise:
1. Mary may create a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to create a message, there is no way to prove that John did in fact send the message.
Here is an example of the first scenario: an electronic funds transfer takes place, and the receiver increases the amount of funds transferred and claims that the larger amount had arrived from the sender.
An example of the second scenario is that an electronic mail message contains instructions to a stockbroker for a transaction that subsequently turns out badly. The sender pretends that the message was never sent.
In situations where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature.
It must have the following properties:
It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
Generic Model of Digital Signature Process
Simplified Depiction of Essential Elements of Digital Signature Process
Direct Digital Signature
The direct digital signature involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.
A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key.
All direct schemes described so far share a common weakness: the validity of the scheme depends on the security of the sender's private key. If the sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else created his or her signature.
Arbitrated Digital Signature
The problems associated with direct digital signatures can be addressed by using an arbiter.
In an arbitrated signature scheme, every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.
The presence of A solves the problem faced by direct signature schemes: that X might disown the message.
The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly.
It is assumed that the sender X and the arbiter A share a secret key Kxa and that A and Y share a secret key Kay.
X constructs a message M and computes its hash value H(M). Then X transmits the message plus a signature to A. The signature consists of an identifier IDx of X plus the hash value, all encrypted using Kxa.
A decrypts the signature and checks the hash value to validate the message. Then A transmits a message to Y, encrypted with Kay. The message includes IDx, the original message from X, the signature, and a timestamp.
Y can decrypt this to recover the message and the signature.
The timestamp informs Y that this message is timely and not a replay. Y can store M and the signature.
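The X to A to Y exchange above, as an added example that is not part of the original notes. It stands in for the notes' E(K, [...]) with an HMAC-SHA256 tag over the same fields (an assumption of this demo: that gives A and Y the origin and content check the text describes, but not confidentiality), and the keys, identifiers and freshness window are constructed values.

```python
import hashlib
import hmac
import json

# Constructed demo values; Kxa and Kay are the shared secrets named in the notes.
K_XA = b"demo-secret-shared-by-X-and-A"
K_AY = b"demo-secret-shared-by-A-and-Y"
FRESHNESS_WINDOW = 60.0   # seconds a forwarded message stays "timely" at Y (assumed)

def tag(key, fields):
    # Stand-in for E(K, [...]): HMAC-SHA256 over a canonical encoding of the fields.
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sender_sign(id_x, message):
    # X -> A: M together with the signature E(Kxa, [IDx || H(M)])
    h = hashlib.sha256(message.encode()).hexdigest()
    return {"id": id_x, "message": message, "sig": tag(K_XA, {"id": id_x, "h": h})}

def arbiter_forward(packet, now):
    # A recomputes H(M) and checks the signature under Kxa (origin and content);
    # if valid, A dates the message and forwards everything to Y under Kay.
    h = hashlib.sha256(packet["message"].encode()).hexdigest()
    if not hmac.compare_digest(packet["sig"], tag(K_XA, {"id": packet["id"], "h": h})):
        return None
    body = {"id": packet["id"], "message": packet["message"],
            "sig": packet["sig"], "ts": now}
    return {"body": body, "tag": tag(K_AY, body)}

def receiver_accept(forwarded, now, seen):
    # Y checks A's tag, then the timestamp (timely, not a replay), then stores M and sig.
    body = forwarded["body"]
    if not hmac.compare_digest(forwarded["tag"], tag(K_AY, body)):
        return False
    if not 0 <= now - body["ts"] <= FRESHNESS_WINDOW:
        return False
    record = (body["id"], body["ts"], body["message"], body["sig"])
    if record in seen:          # same dated message already accepted: replay
        return False
    seen.add(record)            # Y keeps M and the signature for later dispute resolution
    return True
```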
Digital Signature Standard
The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme.
The DSS Approach:
The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.
Figure 13.1 contrasts the DSS approach for generating signatures to that of RSA.
In the RSA-based approach, only the sender knows the private key, so only the sender could have produced a valid signature.
The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a global public key (PUg). The result is a signature consisting of two components, labeled s and r.
At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The output of the verification function is a value that is equal to the signature component r if the signature is valid.
The signature function is such that only the sender with knowledge of the private key could have produced the valid signature.
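The DSS signing and verification flow just described, as an added example that is not part of the original notes: DSA produces the pair (r, s) from H(M), a fresh random k, PRa and PUg = (p, q, g), and the verification function's output equals r exactly when the signature is valid. The block builds its own small (p, q, g) with a Miller-Rabin test and uses SHA-1 as the original DSS did (both assumptions of this demo; the parameter sizes are far below what FIPS 186 requires).

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    # Miller-Rabin; only used to build the demo parameters, not by DSA itself.
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        if pow(a, d, n) != 1 and all(pow(a, d << i, n) != n - 1 for i in range(r)):
            return False              # a witnesses that n is composite
    return True

def generate_params(bits=160):
    # PUg = (p, q, g): q prime, p = 2q + 1 prime, g = 4 of order q. Demo size only; FIPS 186 needs far larger p.
    while True:
        q = secrets.randbits(bits) | 1 << (bits - 1) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1      # private key PRa
    return x, pow(g, x, p)                # (PRa, public key y = g^x mod p)

def hash_to_int(message, q):
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q   # H(M) mod q

def sign(params, x, message):
    p, q, g = params
    h = hash_to_int(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # per-signature random; secret, never reused
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:                       # DSS: choose a new k if either part is zero
            return r, s

def verify(params, y, message, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):     # reject malformed components before any math
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(message, q) * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q   # equals r exactly when valid
    return v == r
```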
Kerberos
Kerberos is an authentication service developed as part of Project Athena at MIT.
Rather than building an elaborate authentication protocol into each server, Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.
Two versions of Kerberos are in common use: v4 and v5.
Kerberos supports the following approach to security: it requires the user to prove his or her identity for each service invoked, and it also requires that servers prove their identity to clients.
Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.
Kerberos identified its requirements as:
secure
reliable
transparent
scalable
Kerberos v4 Overview
The core of Kerberos is the Authentication Server and the Ticket-Granting Server; these are trusted by all users and servers and must be securely administered. The protocol includes a sequence of interactions between the client, the AS, the TGS and the desired server.
a basic third-party authentication scheme
has an Authentication Server (AS)
users initially negotiate with the AS to identify themselves
the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
has a Ticket-Granting Server (TGS)
users subsequently request access to other services from the TGS on the basis of their TGT
Kerberos v4 Dialogue
1. obtain a ticket-granting ticket from the AS (once per session)
2. obtain a service-granting ticket from the TGS (for each distinct service required)
3. client/server exchange to obtain the service (on every service request)
Kerberos v4 Realms
A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers is referred to as a Kerberos realm. A Kerberos realm is a set of managed nodes that share the same Kerberos database and are part of the same administrative domain.
If there are multiple realms, their Kerberos servers must share keys and trust each other.
The figure shows the authentication messages where service is being requested from another domain. The ticket presented to the remote server indicates the realm in which the user was originally authenticated. The server chooses whether to honor the remote request.
One problem presented by the foregoing approach is that it does not scale well to many realms, as each pair of realms needs to share a key.
X.509 CERTIFICATES
X.509 is part of the X.500 series of recommendations that define a directory service. The directory is, in effect, a server or distributed set of servers that maintains a database of information about users. The information includes a mapping from user name to network address, as well as other attributes and information about the users.
X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.
X.509 is based on the use of public-key cryptography and digital signatures. The heart of the X.509 scheme is the public-key certificate associated with each user. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user.
The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates.
Generation of public key certificates
X.509 CERTIFICATES
Version: Differentiates among successive versions of the certificate format; the default is version 1, and versions 2 and 3 are also possible.
Serial number: An integer value, unique within the issuing CA, that is unambiguously associated with this certificate.
Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated parameters. This information is repeated in the signature field at the end of the certificate.
Issuer name: The X.500 name of the CA that created and signed this certificate.
Period of validity: Consists of two dates, the first and last on which the certificate is valid.
Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.
Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.
Issuer unique identifier: An optional bit-string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.
Subject unique identifier: An optional bit-string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.
Extensions: A set of one or more extension fields. Extensions were added in version 3.
Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA's private key. This field includes the signature algorithm identifier.
Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them. All user certificates can be placed in the directory for access by all users. In addition, a user can transmit his or her certificate directly to other users.
In either case, once B is in possession of A's certificate, B has confidence that messages it encrypts with A's public key will be secure from eavesdropping and that messages signed with A's private key are unforgeable.